Privacy Policy
Habsy Inc. – Privacy Policy
Habsy Inc. (“Habsy,” “we,” “us,” “our”) provides habsy.ai, an AI-powered intelligent business card manager that helps professionals capture, organize, and enrich contacts using artificial intelligence, machine learning, and computer vision. We are committed to protecting the privacy and security of personal information processed through our services.
This Privacy Policy explains what personal information we collect, how we use it, how we share it, how we protect it, and what choices and rights you have when you:
● Visit our website (https://habsy.ai/)
● Use the Habsy Business Card Manager mobile or desktop app (“App”)
● Access related tools, APIs, or web interfaces
● Interact with our sales, support, or marketing teams
Together, these are referred to as the “Service.”
By installing the App, creating an account, or using the Service, you acknowledge that you have read and understood this Privacy Policy and, where required by law, consent to our processing of your personal information as described here. If you do not agree, please do not install the App, create an account, or use the Service.
Last Updated: December 01, 2025
1. Who We Are
This Privacy Policy applies to Habsy Inc. in relation to the habsy.ai service. Habsy generally acts as:
● A “controller” (or “organization”) for personal information we collect directly from users and website visitors.
● A “processor” (or “service provider”) when we process personal information on behalf of a customer or account holder (for example, where a business or individual user uploads or scans contact information into Habsy for their own business or professional use).
Where we act as a processor/service provider, our processing is governed by the applicable contract and any Data Processing Addendum (DPA) with that customer.
2. What habsy.ai Does – Service Description
habsy.ai is a cloud-based SaaS platform that securely processes and manages professional contact information for individual users and enterprise customers. Key features of the Service include:
2.1 Business Card Capture & Digitization
● AI-powered mobile scanning for fast business card capture.
● Batch scanning of multiple business cards at once.
● Advanced OCR to extract key details (name, title, company, phone, email, address, social profiles, website).
● Real-time OCR accuracy with an interface for manual verification and edits.
● Event badge scanning (supports VCF and text-based badges).
● Manual contact entry as an alternative to scanning.
● QR code scanning for instant digital business card sharing and contact capture.
● Audio notes and voice capture to add context or reminders to contacts.
2.2 Person Enrichment Engine
● Publicly available professional information (where permitted by law and the source) may be collected to provide additional context about contacts.
● Public profile and summary extraction (where permitted by the source and law) to generate AI-based professional bios.
● Career history and experience mapping (job titles, companies, tenure).
● Professional insights including decision-maker identification and key professional highlights.
● Visual profile photos and context (from public sources or user-uploaded) to enhance contact profiles.
2.3 Company Enrichment Intelligence
● Publicly available company information (including web presence, social channels, and notable public references such as press mentions and milestones) may be collected to enrich company profiles.
● Company information extraction and enrichment for organizations related to your contacts.
● Company overview, mission, vision, and services retrieval and mapping.
● Organizational hierarchy and leadership info (where publicly available).
● Industry classification and business intelligence about the company.
● Office locations and public contact details for the company.
2.4 Contact Management & Organization
● Advanced tagging and segmentation of contacts for better organization.
● Custom fields to store personalized contact details.
● Multi-device synchronization (iOS, Android, web) with real-time updates.
● Offline access for viewing and managing contacts even without internet connectivity.
● Contact notes, voice notes, reminders, and follow-up scheduling to help maintain relationships.
● Multi-language support for business cards in various languages.
● User data export and deletion capabilities to maintain control over your data.
2.5 Relationship & Networking Features
● Follow-up reminders and scheduling tools to prompt timely outreach.
● Contact segmentation and advanced filtering to focus on key relationships.
● Contact export and sharing in standard formats (e.g., CSV, VCF) or CRM-ready formats.
2.6 Platform Integration & Portability
● Integration-ready architecture for CRM and other productivity tools.
● Data export in standard formats (CSV, VCF) for portability.
● APIs and webhooks available for enterprise workflows (where enabled).
3. Our Security & Compliance Framework (High-Level)
Habsy operates an Information Security Management System (ISMS) designed to align with leading security and privacy frameworks, including:
● SOC 2 Type II (AICPA Trust Services Criteria – Security, Availability, Confidentiality, Privacy)
● ISO/IEC 27001:2022 (International Standard for Information Security Management)
● PIPEDA (Canada’s Personal Information Protection and Electronic Documents Act)
● GDPR (EU/EEA General Data Protection Regulation)
● CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)
● DPDPA (India’s Digital Personal Data Protection Act)
We use secure, industry-standard cloud infrastructure and follow best practices in:
● Access control and identity management
● Encryption of data in transit and at rest
● Network and application security
● Logging, monitoring, and incident response
● Vendor risk management
● Regular security reviews and continuous compliance monitoring
Note: We do not publish detailed internal infrastructure or vendor lists on this public page (to reduce security and competitive risks). However, enterprise customers and prospects can request more detailed security and compliance information (e.g., security whitepapers, data flow diagrams) under NDA by contacting us.
4. Personal Information We Collect
Below are the categories of personal information we collect to deliver habsy.ai, along with the purposes and legal bases for each category.
4.1 Account & Profile Information
Data Collected: Full name; email address; encrypted password (if not using SSO); organization name; profile photo (if uploaded); account preferences (including language, time zone, feature settings).
Purpose: Account creation, login, identity verification, profile setup, service delivery, security notifications, and account recovery.
Legal Basis: Contract performance.
4.2 Business Card Content & Contact Information
Data Collected: Contact names; job titles; company names; phone numbers; email addresses; physical addresses; websites and social media links; QR codes and event badges; scanned business card images; contact profile photos (from public sources or user-uploaded); manual contact entries; custom labels/tags; notes, reminders, and voice memos.
Purpose: Core business card digitization and OCR extraction, contact storage and syncing, relationship tracking, setting reminders, associating voice memos, offline access, and user-initiated sharing/export.
Legal Basis: Contract performance (for core functions); consent for voice memos/audio capture where required.
4.3 Enriched Person Data (AI-Generated)
Data Collected: Public professional profile data; AI-generated professional summaries and bios; career history (titles, companies, tenure); educational background (if publicly available); professional skills and role information; public social media presence.
Purpose: Contact enrichment, providing networking context, decision-maker identification, and business intelligence.
Legal Basis: Legitimate interests (providing useful context from publicly available data).
4.4 Enriched Company Data (AI-Generated)
Data Collected: Company name and description; industry classification and estimated size; office locations and public contact details; mission, vision, products/services (if public); organizational structure and leadership information (if available); notable public information (e.g., press, major milestones).
Purpose: Company intelligence and organizational context to support networking and sales insights.
Legal Basis: Legitimate interests (using publicly available or licensed data).
4.5 Device & Technical Data
Data Collected: IP address; device identifiers (e.g., OS-level advertising IDs, where applicable); device type/model, OS version, browser type; app version, screen resolution, locale/language settings; pages or screens visited, features used, time spent, and navigation patterns; button clicks, search queries, export/sharing activity; approximate geolocation (when enabled or consented to).
Purpose: Ensure app functionality and compatibility, security and fraud monitoring, abuse prevention, session management, analytics, performance/error detection, personalization, and to support optional location-based features.
Legal Basis: Contract performance; legitimate interests (security and service improvement); consent (for location data and certain analytics in specific jurisdictions).
4.6 Device Permissions (With Consent)
Permissions Requested:
● Notifications – to send reminders, follow-up prompts, and essential service or security notifications related to the use of the Service.
● Camera – for card, badge, and QR code scanning.
● Photo/Media Library – for importing card images.
● Contacts – for importing or exporting contacts.
● Microphone – for voice notes.
● Location – for optional contextual/location-based features.
(You can manage these permissions in your device settings at any time.)
Purpose: Enable core app functionality (scanning, importing, voice notes) and optional contextual features.
Legal Basis: Explicit consent (granular, per permission; revocable via device settings).
4.7 Communication & Interaction Data
Data Collected: Support emails and support tickets; in-app support messages; feedback and feature requests; bug reports and user-submitted logs; email open/click rates; marketing email engagement; newsletter preferences and opt-in/opt-out history.
Purpose: Customer support and troubleshooting, service improvement, incident investigation, marketing communications (when opted-in), and measuring communication effectiveness.
Legal Basis: Contract performance; legitimate interests (support and service improvement); consent (for marketing communications where required).
4.8 Transaction & Subscription Data
Data Collected: Subscription plan details; billing address (for invoicing); invoices and transaction IDs; subscription status, renewal and cancellation dates.
Purpose: Billing and subscription management, payment processing, invoicing, renewal management, refunds, fraud prevention, and financial/tax compliance reporting.
Legal Basis: Contract performance; legal obligations (e.g., financial and tax record-keeping); legitimate interests (fraud prevention and operational efficiency).
How payments are handled: We do not directly collect or store full payment card details (e.g., full card number or CVV). Payments are processed via globally trusted, PCI-DSS–compliant third-party payment processors (e.g., Stripe or similar). These providers handle your card information on their systems and only share limited metadata with us so we can confirm payment status, issue invoices/receipts, manage subscription renewals, and handle refunds or disputes.
4.9 Integration & API Data
Data Collected: Integration configuration details and authorization scopes; API tokens/keys for integrations (stored securely and encrypted when applicable); records of exported contacts or activities to connected systems; webhook URLs and API usage logs.
Purpose: Enable CRM integrations, API-based workflows, webhooks, and data portability for power users and enterprise needs.
Legal Basis: Contract performance; consent (at the time of authorizing each integration).
4.10 Diagnostic, Security & Audit Data
Data Collected: Error and crash logs; performance metrics; security event logs (e.g., logins, access changes, permission updates); API request logs and session IDs; multi-factor authentication (MFA) records and failed login attempts; suspicious activity alerts and account risk signals.
Purpose: Security and threat monitoring, incident response, unauthorized access prevention, fraud detection, vulnerability management, uptime monitoring, performance optimization, debugging, compliance auditing, and legal requirements.
Legal Basis: Legitimate interests (ensuring security and reliability); legal obligations; contract performance.
4.11 Cookies & Tracking Technologies
Data Collected: Session cookies; preference cookies; analytics cookies; web beacons; local storage items.
Purpose: Session management and authentication, remembering preferences, analytics and product improvement, and measuring marketing performance.
Legal Basis: Contract performance (for essential cookies); legitimate interests (product improvement and security); consent (for analytics/marketing cookies where required by law).
4.12 Data We Do Not Intentionally Collect
We do not intentionally collect or require certain sensitive categories of data, including:
● Full credit card numbers or CVV codes
● Government-issued ID numbers (e.g., SIN, SSN, passport numbers)
● Medical or health information
● Biometric identifiers
● Data about children (individuals under the age of 16)
● Precise or background geolocation tracking without explicit opt-in
If you believe you have accidentally provided such information, please contact us at privacy@habsy.ai.
5. How We Use Personal Information
We use personal information strictly for the purposes described above. In summary, we process personal information in order to:
● Provide and operate the habsy.ai Service
● Enable AI-powered OCR and enrichment features
● Secure and protect user accounts and our platform
● Support and communicate with you (customer support, notifications, etc.)
● Improve and innovate our product
● Meet legal, regulatory, and contractual obligations
We do not use your business card or contact data to build advertising profiles for third parties, and we do not sell personal information. We also will not use your data for materially different purposes without explaining the new purpose to you and, where required, obtaining your consent.
6. AI, OCR, and Enrichment – How We Use It
We use artificial intelligence, machine learning, and computer vision technologies to:
● Recognize and extract text from business card images and event badges
● Normalize and structure contact and company information
● Enrich contacts with publicly available and licensed data
● Generate summaries and contextual information to help you understand and prioritize relationships
We design these systems with privacy and security controls. Importantly, we do not use your private business card data to train third-party models in any way that would expose your data to other customers.
Please note that AI-generated and enriched information may occasionally be incomplete, outdated, or inaccurate. These features are intended to assist you, and should be used in combination with your own judgment.
7. Cookies and Similar Technologies
We use cookies and similar tracking technologies on our website and certain web-based modules to:
● Maintain sessions and login states
● Remember your preferences and settings
● Analyze usage and performance of our services
● Measure marketing campaign effectiveness and referrals
Where required by law (e.g., in the EU/UK), we will present a cookie banner to obtain consent for non-essential cookies. You can adjust your cookie preferences at any time via our website’s cookie controls (if available) or through your browser settings (by blocking or deleting cookies).
8. How We Share Personal Information
We do not sell your personal information. We share personal data only in a few limited ways:
8.1 Service Providers – We engage carefully vetted third-party service providers to help operate and support the Service (for example, cloud hosting, analytics, payment processing, email delivery, customer support, and compliance services). We do not publicly list all providers or technologies here for security and competitive reasons. However:
● All service providers are bound by confidentiality and data protection obligations.
● They may only process personal information on our instructions and for the purposes described in this Policy.
● We assess these providers for strong security and privacy practices.
● Enterprise customers may request a detailed list of our subprocessors or other documentation under NDA (contact privacy@habsy.ai for such requests).
8.2 Legal, Security, and Protection of Rights – We may disclose personal information if we reasonably believe it is necessary to:
● Comply with applicable laws, regulations, or legal processes (e.g., court orders or subpoenas)
● Respond to lawful requests from public authorities (including to meet national security or law enforcement requirements)
● Enforce our agreements and terms
● Protect the rights, property, or safety of Habsy, our users, or others
● Detect, investigate, or prevent fraud, security incidents, or abuse
8.3 Business Transfers – If Habsy is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred to a successor or affiliate as part of that transaction, under the condition that the data remains protected consistent with this Privacy Policy and applicable law.
9. International Data Transfers
We operate on secure cloud infrastructure and may process personal information in multiple regions to ensure performance and reliability. When personal data is transferred across borders, we implement appropriate safeguards – such as contractual data protection clauses (Standard Contractual Clauses where applicable) and encryption – to protect the data and comply with applicable laws.
If you are located in a region with data transfer restrictions (for example, the EU/EEA, UK, etc.), we rely on approved transfer mechanisms such as Standard Contractual Clauses (SCCs) or other lawful bases to facilitate international data transfers.
Enterprise customers can request more details about our international transfer safeguards if needed.
10. Security Measures
We apply a combination of organizational, technical, and physical safeguards to protect personal information. Key security measures include:
● Encryption in transit and at rest: All data is encrypted in transit (using TLS 1.2 or higher) and at rest (using strong algorithms like AES-256).
● Strong access controls and MFA: We enforce role-based access control (RBAC) with least privilege, and require multi-factor authentication for access to sensitive systems.
● Network and application security: We maintain firewalls, network segmentation, and secure development practices to protect our infrastructure and applications.
● Security logging and monitoring: We log security-relevant events and continuously monitor systems with alerting for suspicious activities.
● Incident response planning: We have documented incident response and breach management procedures, covering incident detection, containment, investigation, notification (including compliance with the GDPR 72-hour breach notification rule where applicable), and post-incident review.
● Regular reviews and audits: We conduct regular security assessments and compliance reviews, and we continuously improve our Information Security Management System.
● Employee training and awareness: We provide privacy and security training to all staff and enforce strict policies on data handling and acceptable use.
We align our security program with industry standards such as SOC 2 Type II and ISO/IEC 27001:2022. We may share certain audit reports or certifications with qualified enterprise customers under NDA once available. While no system can be guaranteed 100% secure, we continuously work to monitor and strengthen our security posture.
11. Data Retention
We retain personal information only as long as necessary for the purposes described in this Privacy Policy or as required by law. In general:
● Account & profile data: Retained while your account is active and for a reasonable period after closure, unless a longer retention period is required by law.
● Business card images & contact data: Retained until you delete them or close your account. After deletion or account closure, such data is removed or de-identified in accordance with our data retention and backup policies.
● Security & diagnostic logs: Retained for a limited period (approximately 90 days, or as required by law) and then deleted or aggregated.
● Backups: Retained per our backup and disaster recovery policies, and not used for day-to-day processing except for recovery purposes.
We may retain aggregated or de-identified information (which cannot reasonably be linked back to an individual) indefinitely for analytics, research, or product improvement purposes.
12. Your Rights and Choices
Your privacy rights depend on your jurisdiction, but we aim to respect core privacy rights for all users. These rights may include:
12.1 Access, Correction, Deletion, Restriction – You may have the right to:
● Access the personal information we hold about you.
● Correct inaccurate or incomplete personal information.
● Delete personal information, subject to certain legal or contractual obligations.
● Restrict or object to certain processing activities (for example, you may opt out of certain analytics or enrichment processing).
12.2 Data Portability – You may request a copy of your data in a machine-readable format (e.g., CSV, VCF, JSON) and, where technically feasible, have us transfer it to another service.
12.3 Marketing Communications – You can opt out of marketing emails at any time by clicking the “unsubscribe” link in those emails or by contacting us. (We will still send essential emails about transactions or security, even if you opt out of marketing.)
12.4 Region-Specific Rights – Depending on where you live, you may have additional rights:
● Canada (PIPEDA): You can contact the Office of the Privacy Commissioner of Canada if you have any unresolved privacy concerns.
● EU/UK (GDPR/UK GDPR): You have rights to access, rectification, erasure, restriction, objection, and data portability. You also have the right to lodge a complaint with your local Data Protection Authority.
● California (CCPA/CPRA): You may have rights to know, access, correct, and delete certain personal information, and to opt out of the “sale” or “sharing” of personal information as defined under California law. Habsy does not sell personal information and does not share personal information for cross-context behavioral advertising. You retain ownership and control of the data you upload to the Service.
● India (DPDP Act / DPDPA): India’s Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 have been notified, with certain provisions taking effect in phases. Where applicable, data principals in India may have rights such as access to information about processing, correction, erasure, withdrawal of consent, and grievance redressal under the DPDP framework.
12.5 How to Exercise Your Rights – To exercise any of your rights above, you can contact us as follows:
📧 privacy@habsy.ai
Subject line: “Privacy Request – [Access/Deletion/Correction/Portability/Objection]”
We may need to verify your identity for security purposes (for example, by confirming information associated with your account), and we will respond to your request within the timelines required by applicable law.
13. Children’s Privacy
The Service is intended for business and professional use and is not directed to children under 16 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you become aware that a child has provided personal information to us, please contact privacy@habsy.ai and we will take steps to delete such information.
14. Consent at Sign-Up, Installation, and Use
Before you install the App or create an account, you should understand what you are agreeing to.
14.1 What You Consent To – By installing the Habsy App, creating an account, or continuing to use the Service, you acknowledge and (where applicable) consent to the following:
● The collection and use of your personal information as described in this Privacy Policy, including account details, business card content, enriched data, and technical data.
● The use of AI, OCR, and enrichment technologies to digitize business cards, badges, and QR codes, and to enrich contact and company profiles using public or licensed data.
● The use of device permissions (camera, photos, contacts, microphone, location) as requested by your device’s operating system, for the purpose of enabling key app features.
● The use of secure cloud infrastructure and international data transfers, with appropriate safeguards, to host and process your information.
● The use of cookies and analytics as described in this Policy and, where required, as allowed by your cookie preferences.
● The receipt of essential communications (e.g., security alerts, account-related messages) and optional marketing communications when you opt in (with the ability to opt out at any time).
● The processing of third-party personal information that you provide to us (for example, contacts on business cards you upload), on the understanding that you have the necessary authorization or lawful basis to do so.
14.2 Withdrawing Consent – Where we rely on your consent to process personal information, you have the right to withdraw that consent at any time. You can withdraw consent by:
● Updating your preferences in the App or in your account settings (where such settings are available).
● Using the “unsubscribe” link provided in any marketing email.
● Changing your device or browser settings to revoke previously granted permissions (for example, disabling camera or location access for the App).
● Contacting us at privacy@habsy.ai to request withdrawal of consent.
Please note that if certain processing is necessary for us to provide the Service (for example, basic account functionality or security logging), we may not be able to provide some features or continue the Service for you if you withdraw consent for those essential activities.
15. Third-Party Links and Services
Our website and App may contain links or integrations to third-party websites, applications, and services (for example, CRM systems, event platforms, or public professional profile sites). This Privacy Policy does not apply to information collected by those third parties, and we are not responsible for the privacy practices of any third-party services.
We encourage you to review the privacy policies of any third-party services that you choose to use or connect with through Habsy.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, technologies, legal obligations, or business practices.
When we make material changes, we will:
● Update the “Last Updated” date at the top of this Policy; and
● Provide additional notice if required (for example, via email, an in-app alert, or a notice on our website), and obtain your consent to the changes if required by law.
If you continue to use the Service after an updated Privacy Policy takes effect, your continued use will constitute acceptance of the revised terms.
17. Our Governance, Risk & Compliance Program and Compliance Automation Partner
Habsy has implemented a formal Governance, Risk, and Compliance (GRC) program designed to align our internal security and privacy controls with globally recognized standards. To support this program, we work with a leading GRC and compliance automation provider trusted by SaaS and enterprise organizations to help manage continuous compliance, evidence collection, and audit readiness.
Our compliance automation program helps us to:
● Maintain a documented Information Security Management System (ISMS)
● Map internal controls to multiple frameworks (including SOC 2 Type II, ISO/IEC 27001:2022, GDPR, PIPEDA, CCPA/CPRA, and India’s DPDPA)
● Streamline evidence collection for key security controls (e.g., access reviews, logging, incident handling, training records)
● Continuously monitor control performance, track remediation, and maintain audit readiness
● Support independent third-party assessments and certifications
For security, competitive, and operational reasons, we do not publicly disclose all internal tooling or detailed compliance documentation on this page. Qualified enterprise customers and prospects may request additional compliance evidence (including engagement documentation and relevant control summaries) under NDA by contacting us.
17.1 Core Privacy and Security Principles
Our internal privacy and security framework is built on several core principles:
● Customer Ownership: You remain the owner of the data you upload to habsy.ai. We process your data only to provide the Service and do not claim ownership of your contacts or content.
● Transparency: We explain what we collect, why we collect it, and how we use and protect it.
● Security First: Personal information is protected using industry-standard encryption, access controls, and monitoring.
● Minimal Collection: We collect only the data that is necessary to operate and improve the Service, and to meet our legal obligations.
● User Control: You have meaningful control over your data, including the ability to access, correct, delete, export, or opt out of certain processing.
17.2 Key Safeguards Implemented
We have implemented a comprehensive set of technical and organizational measures as part of our security and privacy program. Key safeguards include:
Encryption: We apply strong encryption for data protection, including:
● Encryption of data at rest using robust algorithms (e.g., AES-256).
● Encryption of data in transit using modern TLS protocols (e.g., TLS 1.2 or higher).
Access Control & Identity Management: We enforce strict access controls, including:
● Role-based access control (RBAC) with least-privilege principles, ensuring staff can only access data necessary for their role.
● Multi-factor authentication (MFA) is required for all internal systems that handle personal information.
● Regular access reviews (e.g., quarterly) and rapid revocation of access when roles change or personnel depart.
Monitoring, Logging & Incident Response: We maintain vigilant oversight of our systems, including:
● 24/7 security monitoring of key systems and events.
● Comprehensive audit logging of access and key administrative actions, with defined retention periods.
● A documented incident response plan covering detection, containment, investigation, notification (including GDPR’s 72-hour breach notification requirement where applicable), and post-incident review.
Privacy by Design & Data Minimization: We integrate privacy into our development lifecycle, including:
● Conducting Data Protection Impact Assessments (DPIAs) when required and designing systems with privacy in mind.
● Data minimization practices that limit what data we collect, how long we retain it, and how it is used.
Training & Awareness: We promote a culture of security and privacy by:
● Providing regular training for employees on privacy and security best practices (with enhanced training for engineering and operations teams).
● Enforcing clear internal policies on acceptable use, customer data handling, and breach response procedures.
These safeguards are in place today and are continuously monitored and improved through our ongoing GRC program and compliance automation practices.
18. Certification Roadmap, Evidence of Compliance, and Trust & Security Page
Habsy distinguishes between having our internal controls in place and obtaining external certifications or attestations. We already operate the necessary controls and policies internally, and we are now pursuing formal third-party audits and certifications (which require set observation periods and independent verification).
18.1 Certification Roadmap and Timelines
As of December 2025, our target milestones are:
● DPDPA (India Digital Personal Data Protection Act): Status: Implementation in progress. Target: Official registration and third-party compliance verification by Q1 2026.
● SOC 2 Type II: Status: Controls internally implemented; evidence collection and observation period underway. Target: Completion of an independent SOC 2 Type II audit and report by Q1 2026.
● GDPR (EU General Data Protection Regulation): Status: GDPR compliance framework implemented (lawful bases, data subject rights processes, security measures, DPIA procedures). Target: External verification of GDPR compliance by Q1 2026.
● PIPEDA (Canada): Status: Aligned with all ten PIPEDA Fair Information Principles (access and correction procedures in place; breach notification framework documented). Target: External verification of PIPEDA compliance by Q1 2026.
● CCPA/CPRA (California): Status: Consumer rights (access, deletion, correction, opt-out, data portability) are implemented; opt-out mechanisms and preference settings are operational. Target: External verification of CCPA/CPRA implementation by Q1 2026.
● ISO/IEC 27001:2022: Status: ISMS fully implemented and operating; pre-audit preparation is in progress. Target: Achieve ISO/IEC 27001:2022 certification by Q1 2026.
These target dates reflect our current plans and may be adjusted based on audit scheduling or regulatory guidance.
18.2 Evidence and Third-Party Validation
To support customer due diligence (especially for enterprise or regulated clients), we can provide evidence of our compliance efforts. Available documentation may include:
● A Letter of Engagement with our compliance automation partner, confirming our active GRC program and the frameworks in scope (SOC 2, ISO 27001, GDPR, PIPEDA, CCPA/CPRA, DPDPA), as well as the partner’s role in continuous monitoring and audit preparation.
● Policy and control summaries, such as high-level overviews of our security and privacy controls, data protection safeguards, and incident response processes.
● Templates or outlines of key compliance documents (e.g., our Data Processing Addendum and Standard Contractual Clauses), where applicable.
Some materials may be provided under a Non-Disclosure Agreement (NDA) for security reasons. To request compliance documentation or evidence, please contact us at:
📧 privacy@habsy.ai
Subject line: “Request: Compliance Documentation”
18.3 Trust & Security Page
We are developing a dedicated Habsy Trust & Security webpage (planned to be available at habsy.ai/trust by Q1 2026). This page will provide:
● An up-to-date overview of our current certification status (e.g., SOC 2 Type II, ISO/IEC 27001:2022, GDPR alignment, PIPEDA, CCPA/CPRA, DPDPA compliance).
● A high-level description of our security and privacy controls.
● Information on how customers can request detailed audit reports (such as a SOC 2 Type II report) under NDA once those become available.
● Additional trust resources and FAQs to assist with vendor security assessments and questionnaires.
Until the Trust & Security page is live, this Privacy Policy and any documentation we provide directly serve as the primary sources of information about our security and compliance program.
18.4 No Change to Your Rights or Our Obligations
Our compliance program and certification efforts do not limit or reduce:
● Your rights under this Privacy Policy or under applicable data protection laws, nor
● Our obligations under those laws or any contracts we have with you.
You retain all the rights and choices described in Section 12 (Your Rights and Choices). If you have any questions about our compliance program (or anything in this Privacy Policy), you can always contact us at privacy@habsy.ai.
19. How to Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy, our privacy practices, or our compliance roadmap, please contact us:
● Habsy Inc. – Privacy Team: 📧 privacy@habsy.ai
● General Inquiries (Habsy Service): 📧 contact@habsy.ai